This post reviews several widely used frameworks and models, organized into four categories: Attack and Defense, Testing, Privacy and Compliance, and Governance and Management. For each, it provides a simple definition, notes comparable frameworks or models, and highlights the key differences that set them apart.

MITRE ATT&CK

Attack & Defense | Global, All industries
  • A detailed list of hacker tactics and techniques to understand how cyberattacks happen.
  • Similar to Cyber Kill Chain as both explain attack steps.
  • More detailed and regularly updated; focuses on real-world hacker behavior.

Cyber Kill Chain

Attack & Defense | Global, All industries
  • A model showing the stages of a cyberattack, from start to finish.
  • Like MITRE ATT&CK, it explains attacks step-by-step.
  • Simpler and more high-level, with fewer details than MITRE ATT&CK.

G7 FE-TLPT

Testing | Financial sector, mainly Europe
  • G7’s Financial Entities Threat-Led Penetration Testing. A specialized testing method that simulates cyberattacks on financial institutions.
  • Similar to CBEST, TIBER-EU, HKMA, and ICAST as they all focus on realistic attack simulations.
  • Specifically tailored for financial entities and EU requirements.

HKMA

Testing | Hong Kong
  • Hong Kong Monetary Authority Framework. Cyber testing and guidance for Hong Kong’s financial sector.
  • Similar to CBEST and TIBER-EU.
  • Tailored for Hong Kong’s banking rules and environment.

ICAST

Testing | Asia, especially Hong Kong
  • Intelligence-led Cyber Attack Simulation Testing. It tests how well banks and financial institutions handle targeted cyberattacks.
  • Similar to CBEST and TIBER-EU.
  • Built around Hong Kong’s regulations and local needs.

TIBER-EU

Testing | European Union
  • Threat Intelligence-based Ethical Red Teaming. EU-wide standard for realistic red team cyberattack simulations.
  • Same family as CBEST, ICAST, FE-TLPT.
  • Designed for EU-wide coordination and cross-border banking security.

AASE

Testing | Global
  • Adversarial Attack Simulation Exercise. General framework for running realistic cyberattack exercises.
  • Similar to TIBER-EU and CBEST.
  • Broader and not tied to a specific region or financial regulation.

CBEST

Testing | United Kingdom
  • Critical National Infrastructure Banking Supervision and Evaluation Testing. UK program for realistic attack simulations on financial institutions.
  • Similar to TIBER-EU, ICAST, FE-TLPT.
  • UK-specific with strong regulatory involvement.

PCI DSS

Privacy & Compliance | Global, especially companies handling card payments
  • Payment Card Industry Data Security Standard. Rules to protect credit card information.
  • Similar to ISO 27001 and GDPR in protecting sensitive data.
  • Very specific to credit card and payment systems.

GDPR

Privacy & Compliance | European Union and any company handling EU citizens’ data
  • General Data Protection Regulation. Protects personal data and privacy of individuals in the EU.
  • Similar to PCI DSS (data protection) and ISO 27001 (security).
  • Legal regulation with heavy fines for violations.

SOX

Privacy & Compliance | Mainly USA, publicly traded companies
  • Sarbanes-Oxley Act. Ensures companies are truthful about their financial reporting.
  • Related to FISMA in enforcing laws and accountability.
  • Focuses on preventing fraud in financial reporting, not just cybersecurity.

FISMA

Privacy & Compliance | United States, government agencies
  • Federal Information Security Management Act. U.S. law that sets security requirements for government systems.
  • Related to SOX and NIST CSF as they are all U.S. compliance frameworks.
  • Focuses only on government and federal data security.

HIPAA

Privacy & Compliance | USA, healthcare providers, insurers, related businesses
  • Health Insurance Portability and Accountability Act. Protects the privacy and security of healthcare and patient data.
  • Similar to GDPR (personal data) and PCI DSS (sensitive information protection).
  • Specifically focused on healthcare and medical records.

HITRUST CSF

Privacy & Compliance / Governance | Global, but mainly used in healthcare and highly regulated industries
  • Health Information Trust Alliance Common Security Framework. A framework that combines HIPAA, GDPR, ISO, NIST, and others into one common set of controls.
  • Acts like a bridge between HIPAA, ISO 27001, and NIST CSF.
  • Provides one unified framework instead of juggling multiple compliance rules.

CCPA

Privacy & Compliance | California, USA, and any company doing business with California residents
  • California Consumer Privacy Act. Gives California residents more control over their personal data, including rights to know, delete, and opt out of data sales.
  • Similar to GDPR and the Data Privacy Act of the Philippines, as all protect individuals’ data privacy.
  • Less strict than GDPR but one of the strongest U.S. state-level privacy laws.

DPA, RA 10173

Privacy & Compliance | Philippines, all companies and organizations handling personal information
  • Data Privacy Act of the Philippines. Protects the privacy and security of personal data of individuals in the Philippines.
  • Similar to GDPR (EU) and HIPAA (healthcare) as it focuses on data privacy and protection.
  • Philippine-specific law with local compliance requirements and the National Privacy Commission overseeing enforcement.

BSP 808

Privacy & Compliance / Financial Regulation | Philippines, banking and financial sector
  • Bangko Sentral ng Pilipinas Circular 808. Sets minimum cybersecurity standards for banks and financial institutions to protect customer accounts and prevent fraud.
  • Similar to CBEST, HKMA, and PCI DSS in protecting financial data.
  • Focused only on Philippine financial institutions and supervised entities.

NIST Cybersecurity Framework (CSF)

Governance & Management | Mainly USA but used worldwide
  • A flexible guide to help organizations manage and reduce cybersecurity risks.
  • Similar to ISO 27001 as both give security best practices.
  • NIST is more practical and step-by-step, while ISO is about certification and compliance.

ISO 27001 (ISMS)

Governance & Management | Global, All industries
  • ISO 27001 specifies an Information Security Management System (ISMS). A global standard for managing and improving information security.
  • Similar to NIST CSF for security best practices.
  • ISO 27001 is international and focuses on management systems, not just technical security.

SOC-CMM

Governance & Management | Global, All industries
  • Security Operations Center Capability Maturity Model. Measures how effective a security operations center is and how to improve it.
  • Similar to ISO 27001 for continuous improvement.
  • Specifically focused on improving security teams and operations.